On Mon, 2011-06-27 at 01:31 +0200, Pierre Joye wrote:
> hi!
>
> I did not read the report, do you have the details about the breakage?
> It could be acceptable in 5.3.

If the hash changes, everybody who stored encrypted passwords or such using the old format can't verify them anymore. My suggestion without looking really deep into these things: Change the default, and add an "old_blowfish" for compatibility and advertise it ... not sure it's the best thing.

johannes

> On Sun, Jun 26, 2011 at 11:37 PM, Stas Malyshev <smalys...@sugarcrm.com> wrote:
> > Hi!
> >
> > On 6/26/11 1:36 AM, Rasmus Lerdorf wrote:
> >> See http://seclists.org/oss-sec/2011/q2/632
> >> We are using this code in ext/standard/crypt_blowfish.c
> >
> > I've committed the patch for 5.4/trunk, not sure what to do about 5.3 since
> > there's some BC breakage in the fix for old hashes. See the ML thread for
> > more details. Any thoughts about if we want this in 5.3?
> > --
> > Stanislav Malyshev, Software Architect
> > SugarCRM: http://www.sugarcrm.com/
> > (408)454-6900 ext. 227
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
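The oss-sec report linked in Rasmus's quoted message concerns how crypt_blowfish's key setup folded key bytes into 32-bit words when read through a signed char (assumed here from that report; the thread itself only speaks of "breakage"). As an added illustration that is not code from this thread or from PHP's crypt_blowfish.c, here is that loading step in both forms, which shows exactly which stored hashes the fix invalidates and why a compatibility mode for old hashes was being discussed:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t BF_word;

/* Fold a NUL-terminated key into 32-bit words the way Blowfish key setup
 * consumes it: four bytes per word, restarting at the key's first byte once
 * its terminating NUL has been consumed.  `legacy` selects reading through a
 * signed char (the old behaviour); otherwise bytes are read as unsigned. */
static void load_key_words(const char *key, BF_word *out, size_t nwords, int legacy)
{
    const char *ptr = key;
    for (size_t i = 0; i < nwords; i++) {
        BF_word tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (legacy)
                /* a byte >= 0x80 becomes 0xFFFFFFxx and wipes the bytes already shifted in */
                tmp |= (BF_word)(int)(signed char)*ptr;
            else
                tmp |= (unsigned char)*ptr;
            if (!*ptr) ptr = key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* First key word in either mode, to make the difference visible. */
BF_word first_key_word(const char *key, int legacy)
{
    BF_word w;
    load_key_words(key, &w, 1, legacy);
    return w;
}

/* 1 if the two variants load this key differently, i.e. a hash stored for it
 * under the old code will not verify against the fixed code (the "old hashes"
 * breakage); 0 when they agree, as for any pure 7-bit ASCII key. */
int key_affected_by_fix(const char *key)
{
    BF_word a[18], b[18];   /* 18 P-array words, as Blowfish key setup uses */
    load_key_words(key, a, 18, 1);
    load_key_words(key, b, 18, 0);
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    /* constructed sample keys: plain ASCII, and UTF-8 text containing bytes >= 0x80 */
    const char *samples[] = { "abc", "caf\xC3\xA9" };
    for (size_t i = 0; i < 2; i++)
        printf("key %zu: legacy=0x%08X fixed=0x%08X affected=%d\n", i,
               (unsigned)first_key_word(samples[i], 1), (unsigned)first_key_word(samples[i], 0),
               key_affected_by_fix(samples[i]));
    return 0;
}
```

Run over a password database's plaintexts at login time, the `key_affected_by_fix` check tells you which accounts need the compatibility mode (or a re-hash on next successful login) and which were never affected.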